Kubernetes Configuration Patterns 101

Vino Alex
2 min read · Jan 4, 2023

Topic 7: Secret

A Secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key.

Using a Secret, you don’t need to include confidential data in your application code.

Secrets are similar to ConfigMaps but are specifically intended to hold confidential data.

Individual Secrets are limited to 1MiB in size, a limit intended to discourage the creation of huge Secrets that could exhaust API server and kubelet memory.

Kubernetes Secrets are, by default, stored unencrypted in the API server’s underlying data store (etcd).

To safely use Secrets, take at least the following steps:

1. Enable Encryption at Rest for Secrets.

2. Enable or configure RBAC rules that restrict reading and writing the Secret. Be aware that Secrets can be obtained implicitly by anyone with permission to create a Pod in the same namespace, since the Pod can mount them.

3. Where appropriate, use mechanisms such as RBAC to limit which principals can create new Secrets or replace existing ones.
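The two steps that are pure configuration, encryption at rest and a read-restricting RBAC rule, look like this in practice. This is an added example and not part of the original post; the Secret name `db-credentials`, namespace `app` and ServiceAccount `app-backend` are hypothetical, and the key value is a placeholder that must be replaced with a freshly generated, base64-encoded 32-byte key.

```yaml
# Added example (not from the original post).
# 1. API server EncryptionConfiguration enabling encryption at rest for Secrets.
#    Assumes the file is passed to kube-apiserver via --encryption-provider-config.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider encrypts every Secret written from now on.
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64-ENCODED-32-BYTE-KEY-PLACEHOLDER>
      # identity (plaintext) stays last so Secrets written before encryption was
      # enabled can still be read; rewrite them so they get encrypted too.
      - identity: {}
---
# 2. RBAC: allow one ServiceAccount to read one named Secret only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-credentials        # hypothetical
  namespace: app                   # hypothetical
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]   # hypothetical Secret name
    verbs: ["get"]                 # no list/watch: resourceNames does not scope those
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-db-credentials
  namespace: app
subjects:
  - kind: ServiceAccount
    name: app-backend              # hypothetical ServiceAccount
    namespace: app
roleRef:
  kind: Role
  name: read-db-credentials
  apiGroup: rbac.authorization.k8s.io
```

After enabling encryption, existing Secrets remain plaintext in etcd until they are rewritten; `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` re-stores each one through the encrypting provider. Granting `list` or `watch` on `secrets` would expose every Secret in the namespace regardless of `resourceNames`, which is why the Role above grants `get` only; and because step 2 in the text warns that Pod creation implies Secret access, the same principal should not also hold `create` on `pods` in that namespace unless it needs it.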

There are three main ways for a Pod to use a Secret:

1. As files in a volume mounted on one or more of its containers.

2. As container environment variables.

3. By the `kubelet` when pulling images for the Pod.
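All three consumption paths in one Pod manifest, as an added example that is not part of the original post. The Secret names `app-secret` and `registry-cred`, the Pod name `app-backend`, the image reference and the secret values are hypothetical; the `.dockerconfigjson` value is a placeholder for a base64-encoded Docker config file.

```yaml
# Added example (not from the original post). All names and values are hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
stringData:                       # plain text here; the API server stores it base64-encoded in .data
  db-password: "example-only-not-a-real-password"
  api-token: "example-token"
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-cred
type: kubernetes.io/dockerconfigjson
data:
  # Normally produced with: kubectl create secret docker-registry registry-cred --docker-server=... 
  .dockerconfigjson: <BASE64-DOCKER-CONFIG-JSON-PLACEHOLDER>
---
apiVersion: v1
kind: Pod
metadata:
  name: app-backend
spec:
  # 3. Used by the kubelet when pulling the image from a private registry.
  imagePullSecrets:
    - name: registry-cred
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000                 # secret files are owned by this group, so 0440 below is readable
  containers:
    - name: app
      image: registry.example.com/app:1.0      # hypothetical private image
      env:
        # 2. One key exposed as an environment variable.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: db-password
      volumeMounts:
        # 1. Every key of the Secret appears as a file under /etc/app-secret.
        - name: secret-vol
          mountPath: /etc/app-secret
          readOnly: true
  volumes:
    - name: secret-vol
      secret:
        secretName: app-secret
        defaultMode: 0440         # owner/group read only
```

Between the first two paths, the volume mount is generally the safer default: the kubelet refreshes mounted files when the Secret is updated (environment variables are fixed at container start), and an environment variable is inherited by every child process and tends to end up in crash dumps and debug output. The `imagePullSecrets` entry is never visible to the container at all; only the kubelet uses it.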
